[openstack-dev] [nova] whitelist/blacklist for Nova V3 extensions

Russell Bryant rbryant at redhat.com
Fri May 31 13:08:15 UTC 2013


On 05/31/2013 08:10 AM, Sean Dague wrote:
> On 05/31/2013 03:25 AM, Christopher Yeoh wrote:
>> Hi,
>>
>> I've proposed a patch which adds the ability to whitelist which
>> extensions are loaded for the V3 API (anything which is not in the
>> whitelist is not loaded) and to blacklist extensions (anything in the
>> blacklist is not loaded).
>>
>> https://review.openstack.org/#/c/29487
>> <https://review.openstack.org/#/c/29487/6>
>>
>> There is also a check to see if something is in both the blacklist and
>> the whitelist as this may be an indication of a misconfiguration and
>> currently the code just does a LOG warn. The question is whether it
>> should instead raise an exception which will effectively abort the
>> nova-api process.
>>
>> Do people think there are any circumstances where someone would
>> intentionally want to both blacklist and whitelist an extension?
>> Presumably if it happened it would only be a temporary thing anyway as
>> they could otherwise just remove it from the whitelist.
> 
> Every time I've seen whitelist / blacklist implemented, blacklist trumps
> whitelist. Because configuration can come from multiple places (config
> file, args), I think it's entirely possible that whitelist and blacklist
> could both have values, and be set from different locations in such a
> way that the admin flipping the blacklist on didn't know the extension
> was specified in a whitelist elsewhere.
> 
> So I think throwing a warning is good, but it should default to
> blacklisted behavior if it's in both lists.

+1

-- 
Russell Bryant
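
The precedence agreed on in this thread (warn, then treat an extension that is in both lists as blacklisted), next to the abort-on-conflict alternative from the original question, as an added example that is not code from the Nova patch under review. The function name, the `strict` flag, the extension aliases and the rule that an empty whitelist means "no whitelist filter" are assumptions.

```python
import logging

LOG = logging.getLogger(__name__)


def select_extensions(available, whitelist=(), blacklist=(), strict=False):
    """Return (loaded, conflicts) for the given extension aliases.

    Hypothetical helper, not Nova's API. The lists may have been set
    in different places (config file, command-line args), so an
    overlap is reported rather than silently resolved.
    """
    whitelist = set(whitelist)
    blacklist = set(blacklist)

    # An alias in both lists is a likely misconfiguration.
    conflicts = sorted(whitelist & blacklist)
    if conflicts:
        msg = ("Extensions in both whitelist and blacklist: %s"
               % ", ".join(conflicts))
        if strict:
            # The alternative raised in the thread: abort start-up.
            raise ValueError(msg)
        LOG.warning("%s; treating them as blacklisted", msg)

    loaded = []
    for alias in available:
        # Assumption: an empty whitelist means "do not filter by whitelist".
        if whitelist and alias not in whitelist:
            continue
        # Blacklist is checked last so it trumps the whitelist.
        if alias in blacklist:
            continue
        loaded.append(alias)
    return loaded, conflicts


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample: whitelist from a config file, blacklist from args.
    available = ["servers", "keypairs", "consoles", "quotas"]
    from_config_file = ["servers", "keypairs", "quotas"]
    from_cli_args = ["keypairs"]
    print(select_extensions(available, from_config_file, from_cli_args))
```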


